archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

router_linux: fix behaviour when switching --netfilter-mode.

Browse Source 
On startup, and when switching into =off and =nodivert, we were
deleting netfilter rules even if we weren't the ones that added them.

In order to avoid interfering with rules added by the sysadmin, we have
to be sure to delete rules only in the case that we added them in the
first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
pull/418/head
Avery Pennarun 5 years ago
parent a496cdc943
commit 9ff51909a3
2 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File

4
cmd/tailscale/tailscale.go
Unescape Escape View File

@ -212,10 +212,10 @@ func runUp(ctx context.Context, args []string) error {
prefs.NetfilterMode = router.NetfilterOn prefs.NetfilterMode = router.NetfilterOn
case "nodivert": case "nodivert":
prefs.NetfilterMode = router.NetfilterNoDivert prefs.NetfilterMode = router.NetfilterNoDivert
warning("netfilter in nodivert mode, you must add calls to Tailscale netfilter chains manually") warning("netfilter=nodivert; add iptables calls to ts-* chains manually.")
case "off": case "off":
prefs.NetfilterMode = router.NetfilterOff prefs.NetfilterMode = router.NetfilterOff
warning("netfilter management disabled, you must write a secure packet filter yourself") warning("netfilter=off; configure iptables yourself.")
default: default:
log.Fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode) log.Fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
} }

18
wgengine/router/router_linux.go
Unescape Escape View File

@ -106,13 +106,9 @@ func (r *linuxRouter) Up() error {
if err := r.delLegacyNetfilter(); err != nil { if err := r.delLegacyNetfilter(); err != nil {
return err return err
} }
if err := r.delNetfilterHooks(); err != nil { if err := r.setNetfilterMode(NetfilterOff); err != nil {
return err
}
if err := r.delNetfilterBase(); err != nil {
return err return err
} }
if err := r.addBypassRule(); err != nil { if err := r.addBypassRule(); err != nil {
return err return err
} }
@ -130,10 +126,7 @@ func (r *linuxRouter) down() error {
if err := r.delBypassRule(); err != nil { if err := r.delBypassRule(); err != nil {
return err return err
} }
if err := r.delNetfilterHooks(); err != nil { if err := r.setNetfilterMode(NetfilterOff); err != nil {
return err
}
if err := r.delNetfilterBase(); err != nil {
return err return err
} }
@ -229,12 +222,19 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
switch mode { switch mode {
case NetfilterOff: case NetfilterOff:
switch r.netfilterMode {
case NetfilterNoDivert:
if err := r.delNetfilterBase(); err != nil {
return err
}
case NetfilterOn:
if err := r.delNetfilterHooks(); err != nil { if err := r.delNetfilterHooks(); err != nil {
return err return err
} }
if err := r.delNetfilterBase(); err != nil { if err := r.delNetfilterBase(); err != nil {
return err return err
} }
}
r.snatSubnetRoutes = false r.snatSubnetRoutes = false
case NetfilterNoDivert: case NetfilterNoDivert:
switch r.netfilterMode { switch r.netfilterMode {

Write Preview
Loading…
Cancel
Save